amazon-s3-encryption-client-java

Range queries for undefined start or end bytes fail due to regex

Open tbaeg opened this issue 1 year ago • 3 comments

Problem:

Range queries without a start or end byte range fail due to https://github.com/aws/amazon-s3-encryption-client-java/blob/main/src/main/java/software/amazon/encryption/s3/legacy/internal/RangedGetUtils.java#L21.

Solution:

Adjust the regex to allow for start or end byte range to not exist.

tbaeg, Feb 01 '24 14:02

This will likely need adjustments to the lower/upper bound calls to support ranges without a start or end.

tbaeg, Feb 01 '24 15:02

Hello @tbaeg,

We've released a fix in 3.1.2 which allows the range to specify only the starting bytes without an ending range.

However, adding a feature to S3EC for range queries that only specify an end range, such as retrieving the last 20 bytes of a file, is difficult due to how encryption works. The S3EC supports decryption of objects encrypted using either AES-CBC or AES-GCM for content encryption. For GCM objects, an authentication tag is appended to the object. The content type is pulled from the object metadata, so it is not possible for the client to determine which algorithm is used before adjusting the range from the plaintext range to the ciphertext range. It is possible to, for example, pull down additional bytes assuming GCM encryption, then discard the extra bytes if the algorithm is actually CBC. However, this is not trivial to implement, and will need to be prioritized against other work. Currently, this feature is not on our immediate roadmap.

imabhichow, Mar 25 '24 21:03
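
The three range forms this thread discusses (start and end, start only, end only), as an added Java example that is not the S3EC's own code: a stand-alone parser whose regex lets either side be empty and which rejects malformed input explicitly. The class, record and method names are hypothetical, and it only parses the header; mapping the plaintext range onto a ciphertext range is not shown.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;
// Added example; class, record and method names are hypothetical.
public class RangeHeaderExample {
    // Either side may be empty: "bytes=0-99", "bytes=100-", "bytes=-20".
    private static final Pattern RANGE = Pattern.compile("^bytes=(\\d*)-(\\d*)$");

    /** start/end are inclusive offsets; -1 marks a value the header did not give. */
    record ByteRange(long start, long end, long suffixLength) {}

    static ByteRange parse(String header) {
        // A null header becomes "", which the pattern rejects below.
        Matcher m = RANGE.matcher(header == null ? "" : header.trim());
        if (!m.matches()) {
            throw new IllegalArgumentException("unsupported Range: " + header);
        }
        String first = m.group(1);
        String last = m.group(2);
        if (first.isEmpty() && last.isEmpty()) {
            throw new IllegalArgumentException("no start or end: " + header);
        }
        try {
            if (first.isEmpty()) {
                // End-only (suffix) form: the last N bytes of the object.
                return new ByteRange(-1, -1, Long.parseLong(last));
            }
            long start = Long.parseLong(first);
            long end = last.isEmpty() ? -1 : Long.parseLong(last);
            if (end != -1 && end < start) {
                throw new IllegalArgumentException("end before start: " + header);
            }
            return new ByteRange(start, end, -1);
        } catch (NumberFormatException e) {
            // \d* admits digit runs too long for a long; reject instead of wrapping.
            throw new IllegalArgumentException("value out of bounds: " + header, e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample headers, valid and malformed.
        String[] samples = {"bytes=0-99", "bytes=100-", "bytes=-20", "bytes=-", "bytes=9-3", "bytes=a-b"};
        for (String h : samples) {
            try {
                System.out.println(h + " -> " + parse(h));
            } catch (IllegalArgumentException e) {
                System.out.println(h + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Records require Java 16 or later. The suffix form parses here, but a decrypting client still has to handle it separately for the reasons given in the comment above.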

Thank you for the work and the update!

tbaeg, Mar 30 '24 22:03